ShmooCon 2012: Raising The White Flag

Raising The White Flag :: Bypassing Application White Listing

– Curt Shaffer and Chris Cuevas

NOTE: The video of this talk has now been made available over at the ShmooCon website.

More and more people are seeing application whitelisting in their environments. Despite what marketing people say, these solutions don’t stop APT and other advanced threats. This talk is designed to shine a light on the issues with whitelisting.

Whitelisting is often touted as a replacement for AV. Something better than AV is certainly needed, but application whitelisting isn’t the solution. The purpose seems good, but the execution is lacking. Things are headed in the right direction, yet simple techniques are enough to bypass these whitelisting protections.

The following application whitelisting tools were tested.

Bit9 Parity 6.0.0

McAfee Application Protection

Microsoft Applocker

Methodology

Windows File Protection

File Naming Fun

IExpress packaging

Java Exploits/Malware

Flash Exploits/Malware

Adobe Exploits/Malware

JavaScript

VBA

Raw Shellcode

Powershell

Some other things were excluded due to time constraints (including HTML5, CD-ROM ISO masquerading, Digitally Signed Malware).

Bypassing Techniques Attempted

ActiveX

PDF attacks

Spawning shell

Office documents

VBscript Macros

Shellcodexec

Inject shellcode into memory

Java

Applet

Exploit

JavaScript

BeEF hook

Firefox Extension

Powershell

Run script by piping into powershell.exe

DLL Injection

Shellcode injection

Chrome Extension

Man-in-the-Middle

Sniff, modify, replay

This is all known. We’ve been pissing on AV for a long time. Time to piss on whitelisting as well.

Links


Note: A large portion of the content I post on my blog comes from "live blogging" of security conferences. These posts are in notes form and are written live during a talk. As such, errors and omissions are expected. I'm only human after all!